14 DAY TRIAL // The Certification Authority/Browser (CA/B) Forum and the United States National Institute of Standards and Technology (NIST) have determined that digital certificates with lengths below 2048 bits should be replaced because they’re not strong enough.
As a result, the CA/B Forum and NIST have instructed CAs to stop issuing 1024-bit certificates and revoke ones with key lengths below 2048. The deadline is December 31, 2013.
Symantec has recently published an advisory to warn organizations about the consequences of not upgrading their digital certificates. The threats posed by weak certificates are also highlighted by documents published by Brazilian TV show Fantastico. They show that the NSA used fake security certificates to intercept Google traffic.
“The consequences of relying on unsecured digital certificates to provide trust across global infrastructures and networks are extreme and costly,” Jeff Hudson, CEO of certificate management solutions provider at Venafi, told Softpedia.
“History has proven that poorly protected certificates and cryptographic keys are easy targets and open doors to data breaches, man-in-the–middle attacks and malware infections. The consequences range from common IP theft and eavesdropping to owning software update systems and destroying physical facilities,” Hudson added.
“Exacerbating the situation are recent NSA revelations that compromised or forged digital certificates were used for intelligence gathering activities that Forrester reports could cost US companies billions in lost revenue.”
The expert points to a recent Ponemon Institute study which shows that there are millions of certificates and keys deployed across corporate networks, yet 51% of organizations admit not having visibility into where they are, who manages them, or what policies govern their use.
Furthermore, all the organizations surveyed by Ponemon admitted suffering attacks on keys or certificates over the last two years.
“Symantec’s blog, which follows earlier recommendations from NIST, is a great reminder that now is the time to start taking action. Trust must be better protected. The Ponemon findings are a great reminder that the only way organizations are going to be effective is if they have a solution in place that will allow them to automate the revocation and replacement process,” Hudson noted.
“Organizations that fail to identify, revoke and replace all of their weak certificates—and then continuously monitor for anomalies—are sitting ducks and will certainly fall prey to every level and form of cybercriminal, lone-wolf hacker or government organization, all of which know how to launch certificate-based attacks that yield productive pay days and inflict massive financial impact.”